Aliyun OSS or Tencent COS oss upload online access
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent file-upload skill, but users should treat it carefully because it needs cloud storage credentials and creates public file links.
Install only if you need public OSS/COS upload links. Use a dedicated least-privilege cloud key, keep config files private, and verify each file is safe to make publicly accessible before asking the agent to upload it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A file uploaded through this skill may become publicly accessible through the returned URL.
The skill intentionally uploads selected local files or downloaded URL content and returns publicly accessible links. This is aligned with the stated purpose, but the action can expose file contents if invoked on the wrong file.
Local file: workspace-relative or absolute path... Online hyperlink: HTTP/HTTPS URL... Success... returns a remote access URL
Use it only for files you explicitly want online, and ask the agent to confirm before uploading sensitive or absolute-path files.
Cloud storage keys may allow uploading objects and possibly other bucket operations depending on the permissions assigned to the key.
The skill needs Aliyun or Tencent cloud access credentials, but the registry metadata does not declare required env vars. The credential use is documented and purpose-aligned, but users should understand the privilege being granted.
OSS_ALIYUN_ACCESS_KEY_ID / OSS_ALIYUN_ACCESS_KEY_SECRET... OSS_TENCENT_SECRET_ID / OSS_TENCENT_SECRET_KEY... This skill does not declare requires.env in its metadata
Use a dedicated least-privilege key limited to the intended bucket/path, avoid pasting secrets in public chats, and rotate the key if exposed.
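What "limited to the intended bucket/path" looks like in practice, as an added example rather than anything shipped with the skill: a weak policy of the kind a hurried setup produces next to an upload-only one, and a small audit that reads the Aliyun RAM layout (Version/Statement/Effect/Action/Resource) and the Tencent CAM layout (lowercase keys, qcs resource syntax) the same way and reports every Allow statement that grants more than PutObject on the one bucket and prefix. The bucket name, prefix, region and account UID are assumptions.

```javascript
// Added example, not the skill's code. Bucket/prefix names, region and UID are
// illustrative assumptions.
const UPLOAD_ONLY = new Set(["oss:PutObject", "cos:PutObject"]);

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const pick = (obj, ...keys) => keys.map((k) => obj[k]).find((v) => v !== undefined);

// Returns a list of findings; an empty list means the policy is upload-only and
// scoped to `${bucket}/${prefix}/*`.
function auditUploadPolicy(policy, { bucket, prefix = "" }) {
  const scope = prefix ? `${bucket}/${prefix}/*` : `${bucket}/*`;
  const findings = [];
  asList(pick(policy, "Statement", "statement")).forEach((st, i) => {
    // Deny statements only narrow the grant; only Allow can over-privilege.
    if (String(pick(st, "Effect", "effect")).toLowerCase() !== "allow") return;
    for (const action of asList(pick(st, "Action", "action"))) {
      if (!UPLOAD_ONLY.has(action)) {
        findings.push(`statement ${i}: action "${action}" goes beyond upload-only`);
      }
    }
    const resources = asList(pick(st, "Resource", "resource"));
    if (resources.length === 0) findings.push(`statement ${i}: Allow without a Resource`);
    for (const res of resources) {
      // The resource must name the bucket and prefix literally; "*" at the
      // bucket position, or the bucket without the prefix, is too broad.
      if (!res.endsWith(":" + scope)) {
        findings.push(`statement ${i}: resource "${res}" is not limited to ${scope}`);
      }
    }
  });
  return findings;
}

// Weak: full OSS control on every bucket the account owns.
const WEAK_RAM_POLICY = {
  Version: "1",
  Statement: [{ Effect: "Allow", Action: "oss:*", Resource: "*" }],
};

// Corrected: PutObject only, one bucket, one prefix.
const UPLOAD_ONLY_RAM_POLICY = {
  Version: "1",
  Statement: [{
    Effect: "Allow",
    Action: ["oss:PutObject"],
    Resource: ["acs:oss:*:*:agent-uploads/public/*"],
  }],
};

// Tencent CAM equivalent (assumed region and APPID in the resource string).
const UPLOAD_ONLY_CAM_POLICY = {
  version: "2.0",
  statement: [{
    effect: "allow",
    action: ["cos:PutObject"],
    resource: ["qcs::cos:ap-shanghai:uid/1250000000:agent-uploads-1250000000/public/*"],
  }],
};

module.exports = { auditUploadPolicy, WEAK_RAM_POLICY, UPLOAD_ONLY_RAM_POLICY, UPLOAD_ONLY_CAM_POLICY };
```

Run the audit against the policy attached to the RAM user or CAM sub-account whose key you are about to paste into the skill's config; a key that only passes with a broader prefix than the skill actually writes to is the wrong key. Note that PutObject on its own already lets the holder overwrite existing objects under the prefix, so keep the prefix dedicated to this skill.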
Future installs could pull updated dependency versions that were not exactly the versions reviewed here.
The skill relies on npm packages with caret version ranges. These dependencies are expected for the upload purpose, but installs may resolve newer package versions over time.
"ali-oss": "^6.20.0", "axios": "^1.6.0", "cos-nodejs-sdk-v5": "^2.14.2"
Prefer a lockfile or pinned dependency versions when deploying in higher-trust environments.
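A concrete form of that check, added here and not part of the skill: read the skill's declared ranges together with a lockfile and report, per dependency, whether the spec is exact, which version the lock actually pins, whether that version still falls inside the caret range, and whether an integrity hash is recorded (without one, `npm ci` cannot verify the tarball bytes). The dependency ranges are the skill's own; the lockfile excerpt, its versions and its hash are constructed for illustration.

```javascript
// Added example, not the skill's code. package.json ranges are the skill's
// published ones; the lockfile excerpt below is constructed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Minimal caret semantics for the common "^x.y.z" case: same major, not older;
// for 0.x the minor is fixed too. Returns null for range styles it does not model.
function caretSatisfied(spec, version) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  const v = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m || !v) return null;
  const base = m.slice(1, 4).map(Number), got = v.slice(1, 4).map(Number);
  if (base[0] !== got[0]) return false;
  if (base[0] === 0 && base[1] !== got[1]) return false;
  for (let i = 0; i < 3; i++) { if (got[i] !== base[i]) return got[i] > base[i]; }
  return true;
}

// One row per dependency; `lock` is a package-lock.json (lockfileVersion 2/3,
// "packages" map) or undefined when none is present.
function auditDependencies(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).map(([name, spec]) => {
    const entry = lock && lock.packages ? lock.packages[`node_modules/${name}`] : undefined;
    return {
      name,
      spec,
      pinned: EXACT_VERSION.test(spec),
      locked: entry ? entry.version : null,
      inRange: entry ? caretSatisfied(spec, entry.version) : null,
      integrity: entry && entry.integrity ? entry.integrity : null,
    };
  });
}

// Rewrite each floating range to the version the lock resolved, so a fresh
// install cannot float past what was reviewed even if the lock is dropped.
function pinSpecs(pkg, lock) {
  const out = { ...pkg, dependencies: { ...(pkg.dependencies || {}) } };
  for (const r of auditDependencies(pkg, lock)) {
    if (r.locked && !r.pinned && r.inRange !== false && out.dependencies[r.name] !== undefined) {
      out.dependencies[r.name] = r.locked;
    }
  }
  return out;
}

const SKILL_PACKAGE_JSON = {
  dependencies: { "ali-oss": "^6.20.0", "axios": "^1.6.0", "cos-nodejs-sdk-v5": "^2.14.2" },
};

// Constructed lockfile excerpt: versions and the hash are illustrative, and
// cos-nodejs-sdk-v5 is deliberately missing to show a stale lock.
const EXAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/ali-oss": { version: "6.20.0", integrity: "sha512-EXAMPLEONLY..." },
    "node_modules/axios": { version: "1.6.8" },
  },
};

module.exports = { auditDependencies, pinSpecs, caretSatisfied, EXACT_VERSION, SKILL_PACKAGE_JSON, EXAMPLE_LOCK };
```

Once the lockfile is committed, install with `npm ci` rather than `npm install`: it installs exactly the locked versions and refuses to run when package.json and the lock disagree, which is the behaviour you want when the reviewed versions are the ones you approved.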
Users might be encouraged to dismiss a future security warning without independently checking the credential and upload behavior.
The documentation explains why a security scanner may flag the skill. This is not proof of malicious behavior, but users should not rely on the skill author's explanation alone when evaluating credential-handling risk.
About the platform security scan's Suspicious flag... The scanner marking this Suspicious is expected behavior
Treat scanner explanations as context only; review the actual credentials, permissions, and upload destinations before use.
